SolidStamp Blog

SolidStamp Smart Contract Auditor Report - November 2018 edition

November 7th, 2018

Watching Watchmen: Meet smart contract auditors

Smart contracts are the heart of the Ethereum blockchain. Every dApp we engage with
contains a smart contract created to dictate how it works at the most basic level. It is
safe to say we should expect smart contract creators to produce sound and stable smart
contracts. But the proverb, trust but verify, exists for a reason. Smart contract
auditors are the independent verification mechanism to determine if the intentions and
goals of the contract’s creator were rendered into the language of the blockchain. This
verification is essential. Because of this importance, we want to shed some light on the
organizations doing the audits to verify the integrity of the smart contracts powering
the Ethereum blockchain.


Our report details a list of 17 smart contract
auditing firms. It includes our analysis of 197
publicly available smart contract audits to visualize the scope and size of audits by
these particular companies. From this data, we have focused on what we see as the key
metrics to consider when choosing a smart contract auditor:

Size and seniority of the company as determined by the
number of public audits performed in last 2 years

Total amount of Ether passing through the audited contracts

Number of distinct addresses that have interacted with the
audited contracts

Total token valuation of token audits conducted

Number of distinct addresses holding the audited tokens

Ratio of token-related audits to all other audits to see the
degree of token-only audit activity

See further below for a detailed description of our methodology and the raw data we
used. Click here for the previous edition of the report.

This list is not ranked and is in alphabetical order
only. Furthermore, SolidStamp does not endorse any particular auditor. The data
below comes from publicly available information and should not be treated as investment
or financial advice. Beyond quantitative data, it is important to consider qualitative
metrics like the quality of work performed, individual auditor experience, and the
specific scope of the audit you are commissioning.

Selected information about auditors on the list:

Authio (https://authio.org)
is a blockchain consulting firm offering a range of services to bring a project from whiteboard
to production. Authio's method is to focus heavily on internal R&D as a means to understand the
rapidly evolving ecosystem and always offer the best possible solution to clients. Their services
cover initial design consultation, development, and end-of-line audits.

Chainsecurity (https://chainsecurity.com)
uses tools straight out of the research labs at Switzerland’s ETH Zurich to validate the correctness of smart contracts and uncover vulnerabilities in them. A thorough expert audit focuses on defining an exact functional specification, proves that it holds using formal verification tools, and uncovers security, design and architecture issues in the analyzed code. Crypto projects rely on the detailed public audits by ChainSecurity to ensure top-grade security for their smart contracts and protocols.

Chainsulting (https://chainsulting.de/)
is a blockchain consulting company in Germany providing
smart contract development and audit, individual blockchain solutions, token sale
advisory and cryptocurrency investments. Previous and current clients of Chainsulting
come from countries such as Australia, USA, Switzerland and Germany. The team includes
blockchain developers, financial experts and experienced project managers.

CoinFabrik (https://www.coinfabrik.com) is a blockchain
development company specialized in smart contract coding and security audits. Their
prime objective is to provide safe and clean smart contract code to customers worldwide.
They audited important ICOs such as Status.im, Patientory and Mona.co, and participated in
writing the smart contract code in successful ICOs which were able to raise millions of
dollars. The company currently has 40 employees and it has been growing at a fast pace
in the past 2 years.

Consensys Diligence (https://consensys.net/diligence/) is the arm
of Consensys dedicated to performing audits, building security tools and promoting best
practices in the Ethereum ecosystem.

Hosho (https://hosho.io/)
is a blockchain security company. They offer a smart contract auditing service that ensures
code behaves as intended. Founded in 2017 and based in Las Vegas, NV.

iosiro (https://www.iosiro.com/)
is a specialist blockchain security company based in South Africa. iosiro's mission is
to help companies entering the blockchain space do so safely and securely by securing
both on-chain and off-chain systems. They offer penetration testing services, smart
contract auditing as well as anti-phishing services to companies in the space all over
the world and contribute to a number of open source security projects in the space.
Their anti-phishing service protects some of the largest decentralised exchanges in the
space, and their smart contract audits have secured millions of dollars raised during
crowdfunds.

New Alchemy (https://newalchemy.io/)
is a strategy and technology advisory group specializing in tokenization on the
blockchain. They offer a full spectrum of guidance from tactical technical execution to
high-level theoretical modeling. New Alchemy provides technology, token game theory,
smart contracts, security audits, and ICO advisory.

Nomic Labs (https://nomiclabs.io/)
helps early-stage blockchain projects launch and secure their offering by designing, building and auditing decentralized systems.

Quantstamp (https://quantstamp.com/)
helps to secure blockchain applications such as smart contracts. Quantstamp is developing a new protocol
for smart contract verification, performing professional audits and consultations, and developing
security tools. Quantstamp also has expertise in application security and secure software development.

Sigma Prime (https://sigmaprime.io/)
is a team of researchers, developers and security professionals working in the
blockchain and cybersecurity space.

SoHo Token Labs (https://sohotokenlabs.com/)
is building developer tools for smart contracts. This is a multi-billion dollar market
that will be unlocked by STL’s software (by addressing the issues that prevent smart contract
usage from going mainstream). Elissa Shevinsky, CEO, launched Everyday Health (IPO) and Geekcorps
(acquired), and more recently was Head of Product at Brave.

Solidified (https://solidified.io/)
launched in early 2017 and has established itself as the #1 full-audit service for smart
contracts. Having helped secure companies such as Gnosis, Polymath, Bankera, Melonport
and more than 50 others, Solidified has established itself as the leader for
high-quality technical audits on Ethereum. With 200+ Solidity experts and more than 85M
EUR secured, Solidified has the largest verified community of auditors, its own
dedicated bug bounty platform and incorporates all stages of technical due diligence to
bulletproof smart contracts.

Trail of Bits (https://www.trailofbits.com) has, since 2012,
helped secure many organizations and products. They combine high-end security research
with a real-world attacker mentality to reduce risk and fortify code.

Zero Knowledge Labs (http://zklabs.io/)
provides smart contract development and auditing services for projects built on the
Ethereum platform, as well as general crypto protocol design and consulting.

Our methodology and raw data

Our report is based on 197 smart contract audits
listed by the auditors on SolidStamp or
found on the Internet. We only considered audits that had a clear indication of
client-side commissioning. Audit dates come from either the audit report as indicated
or, lacking this, from the GitHub commit date. The totals for number of public
audits, number of 2017 audits and number of 2018 audits are direct sums of all audits
performed, broken down by year.

For each audit, SolidStamp and Etherscan provided the mainnet addresses of the audited
contracts. Only addresses with a verified and available contract source code on
Etherscan were considered.

We called the symbol(), totalSupply()
and decimals() functions of each token contract to
determine its symbol and its total supply (scaled by the token's decimals). Each token symbol was plugged into CoinAPI to download the latest token price in
terms of Eth. For tokens listed on multiple exchanges, we used the mean price.

Token valuation equals the average price multiplied by total supply. Note: Total Token
Value [Eth] is a sum of the valuation of all the audited tokens.

We calculated turnover for each audited address (both token and non-token), i.e. how much
Ether was sent to and from each audited contract. Note: Total Contract Turnover [Eth] is the
sum of turnover for all the audited addresses.

For both token and non-token audited addresses, we calculated how many addresses
(both regular addresses and contracts) interacted with the audited contract by sending Ether
or calling a function. Note: Number of Addresses using the Contract is
the sum of the interacting addresses over all the audited addresses.

For tokens, we calculated how many addresses (both regular addresses and contracts) currently hold
the audited token. Note: Number of Token Holders is
the sum of the distinct addresses holding all the audited tokens.

Dividing the number of token related audits by the total number of public audits performed by
each auditor provides the % of Token Audits.
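The following is an added worked example, not SolidStamp's own code, that recomputes the metrics described above (token valuation from totalSupply()/decimals() and a mean exchange price, contract turnover, interacting addresses, token holders and the % of token audits) for one hypothetical auditor. All addresses, token metadata, prices, transactions and balances are constructed sample data; the point it makes that the prose does not is that totalSupply() is returned in base units and must be divided by 10**decimals before it is multiplied by a per-token price, and that the report's "Number of Addresses" figures are sums over audited contracts, so one address that used two audited contracts is counted twice.

```python
"""Recompute the SolidStamp report metrics on constructed sample data."""
from decimal import Decimal

# Constructed token metadata, as the on-chain symbol()/totalSupply()/decimals()
# calls would return it. totalSupply() is in base units (no decimal point).
TOKENS = {
    "0xtokenA": {"symbol": "TKA", "totalSupply": 1_000_000 * 10**18, "decimals": 18},
    "0xtokenB": {"symbol": "TKB", "totalSupply": 500_000 * 10**6, "decimals": 6},
}

# Constructed exchange quotes, one entry per exchange listing, in Eth per token.
PRICES_ETH = {
    "TKA": [Decimal("0.002"), Decimal("0.003")],
    "TKB": [Decimal("0.0001")],
}

# Constructed transactions: (sender, recipient, value in Ether, function called or None).
TXS = [
    ("0xuser1", "0xtokenA", Decimal("0"), "transfer"),
    ("0xuser2", "0xtokenA", Decimal("0"), "approve"),
    ("0xuser1", "0xsale", Decimal("5"), None),       # plain Ether sent to the sale
    ("0xsale", "0xuser1", Decimal("1"), None),       # refund: Ether leaving the contract
    ("0xuser3", "0xsale", Decimal("2.5"), "buyTokens"),
    ("0xuser9", "0xother", Decimal("7"), None),      # unrelated contract, ignored
]

# Constructed current balances in base units; a zero balance is not a holder.
BALANCES = {
    "0xtokenA": {"0xuser1": 10**18, "0xuser2": 5 * 10**17, "0xuser4": 0},
    "0xtokenB": {"0xuser1": 1, "0xuser5": 250},
}

# Hypothetical auditor: two token audits and one non-token (crowdsale) audit.
AUDITED = ["0xtokenA", "0xtokenB", "0xsale"]


def token_valuation_eth(addr):
    """Mean exchange price multiplied by the decimal-scaled total supply."""
    meta = TOKENS[addr]
    supply = Decimal(meta["totalSupply"]) / (Decimal(10) ** meta["decimals"])
    quotes = PRICES_ETH[meta["symbol"]]
    mean_price = sum(quotes) / len(quotes)
    return supply * mean_price


def contract_turnover_eth(addr):
    """Ether sent to plus Ether sent from the audited address."""
    return sum(value for sender, to, value, _ in TXS if addr in (sender, to))


def interacting_addresses(addr):
    """Distinct addresses that sent Ether to, or called a function on, addr."""
    return {sender for sender, to, _, _ in TXS if to == addr}


def token_holders(addr):
    """Distinct addresses currently holding a non-zero balance of the token."""
    return {holder for holder, bal in BALANCES.get(addr, {}).items() if bal > 0}


def percent_token_audits(audited):
    token_related = sum(1 for a in audited if a in TOKENS)
    return 100 * token_related / len(audited)


def auditor_summary(audited=AUDITED):
    """The per-auditor row of the report, summed over its audited addresses."""
    tokens = [a for a in audited if a in TOKENS]
    return {
        "public_audits": len(audited),
        "total_token_value_eth": sum(token_valuation_eth(a) for a in tokens),
        "total_contract_turnover_eth": sum(contract_turnover_eth(a) for a in audited),
        # Sum of per-contract counts: 0xuser1 used two contracts and is counted twice.
        "addresses_using_contracts": sum(len(interacting_addresses(a)) for a in audited),
        "token_holders": sum(len(token_holders(a)) for a in tokens),
        "percent_token_audits": round(percent_token_audits(audited), 2),
    }


if __name__ == "__main__":
    for key, value in auditor_summary().items():
        print(f"{key}: {value}")
```

Replace the constructed dictionaries with the results of real symbol()/totalSupply()/decimals() calls and an Etherscan transaction export to reproduce a row of the raw data; the turnover figure deliberately counts Ether in both directions, so a crowdsale that refunds contributions shows a higher turnover than the net Ether it retained.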

We contacted every auditor listed at least seven days in advance of publishing this report. We
shared our findings and asked for further review and verification. Any comments or
statements shared were done so with the expressed permission of the comment’s
author.

Disclaimer

This is the second edition of our report and we made every effort to ensure the accuracy
and validity of any data published here. However, there is always room for improvement.
Please contact us if you believe we have made an error or you
would like us to include additional data in future editions.

Matthew Di Ferrante, founder of Zero Knowledge Labs - a smart contract auditing company listed in this
report - is an advisor to SolidStamp. He did not influence the report content.

The report makes no warranties or claims regarding the accuracy, quality or performance
of particular smart contract auditors and the smart contracts audited. The results of
this report should not be treated or considered as investment advice.

About SolidStamp

SolidStamp connects smart contract users and security auditors to ensure the safety of
their Ether and tokens. We maintain an on-chain database of smart contract audits so
you can be sure you are investing your funds securely. SolidStamp allows you to hire
top-notch security specialists to audit the contract you plan to use to confirm their
authenticity and security.

An auditor’s SolidStamp account does not factor into a listing on the report.